In this series, I will be discussing all things Product Security: best practices, challenges, regulations, standards, reporting, solutions, the product development lifecycle, different Product Security roles, the state of the art, and the future of our industry. 

In this article, we will explore the major pain points faced by Product Security organizations and discuss how to address them.

As a device manufacturing company, protecting your company's products from software threats and vulnerabilities requires constant vigilance, and it can be difficult to know where to focus your efforts. As your Product Security program matures, the pain points change, but rarely get easier.

Managing hundreds of products across multiple lines with hundreds of developers is no easy feat, and understanding and mitigating risks for your organization is a constant challenge. 

Regardless of your company’s size, you are likely to encounter these pain points on your Product Security journey.

Pain Point #1: Blind Spots

The last thing you want to say when an incident occurs is, “Well, we didn’t see that coming.” Instead, you have to ask yourself right now: what am I not considering?

As a Product Security professional, you should at least be thinking about:

  • Cybersecurity Risk
  • License Risk
  • Compliance Risk
  • Supply Chain Risk

You don’t have to have a full solution for mitigating risk in all these areas, but at least be aware of what can happen, the potential impact to your business, and where you might need to make additional investments.

For connected products, cybersecurity risk areas include: 

  • known software vulnerabilities
  • insecure system configurations
  • insecure or weak cryptography
  • broken authentication
  • insecure services
  • unnecessary open ports 
  • insecure protocols
  • insecure updates 
  • insecure ecosystem interfaces 
  • insecure data transfer 
  • insecure data storage
  • privacy 
  • hardware vulnerabilities
  • potential zero days 

Phew. That’s a long list. 

There is no single tool that can assess your security in all these areas, let alone factor in licenses, compliance frameworks, and supply chain assurance. It is very likely you are going to need at least a few tools in your arsenal to help you assess your risk and make sure your product development teams aren’t introducing new risks. 

Your product security team needs to be aware of these risk areas, understand which may be a concern for your product, and do the due diligence to determine the potential impacts.

Pain Point #2: Incident Response

Incident response is always a challenging task. Tensions are high, people need answers, and you have to figure out just how at risk you are. This is especially complicated when your data is scattered across multiple locations and is difficult to access and correlate. In these situations, it can be unclear where to even begin in terms of gathering the necessary information and determining the root cause of the incident.

This lack of visibility and control can make it difficult to effectively respond to the incident and take the necessary steps to fix the issue. Additionally, if it is unclear who to contact or what resources are available to assist with the response, the process can become even more frustrating and time-consuming. These challenges can significantly hinder an organization's ability to effectively and efficiently manage an incident, potentially leading to costly delays and disruptions.

In the event of an incident, you need to be able to figure out whether you are impacted, and if so, how widespread it is and what you need to do about it, if anything. Depending on the level of maturity of your Product Security organization, you may be working to figure out what tools you should implement first, how to query data in all your tools and correlate it, or how to automate your tools so you can get real-time insight into the risk posture of all your products and be prepared for an incident.

Maturity

The solution for these pain points comes when you mature your Product Security organization. Finite State is developing a Product Security maturity model, which we will publish this quarter, but for now, I’m going to speak in generic terms of getting from Crawl, to Walk, to Run.

The Crawl Phase

The Crawl phase means doing some type of security scanning and reporting on your products at various points in the product development lifecycle. At this phase, Product Security teams may be satisfied with manually uploading and reviewing results using interfaces provided by each tool. Here, we are effectively trying to "check the box" that we have done at least some security scanning on all of our products in the places we know risk can easily be introduced.

The Walk Phase

The Walk phase is where we have security scanning or a review process for all of our products, and are actively onboarding new scanners wherever deficiencies were identified in the Crawl phase. This means we are regularly and actively scanning our products for security, identifying new tools, scanners, and assessment processes for risk areas, and starting to use APIs where possible to integrate with CI/CD and build processes.

The Run Phase

The Run phase is where everything becomes automated, and the expectations are set for every product team in our organization. Integrations with IDEs, scanning tools, CI/CD pipelines, bug tracking, and other orchestration become fully automated. The tools we are using at this phase enable us to reason about license, compliance, and supply chain risk, and keep it in context with the rest of the security information about our products, so we don’t have to manually collect data from multiple sources to answer questions.

The Run phase is where Product Security teams fully enable their company with real-time visibility into the security and risk context of the products they ship using search tools, notifications, dashboards, integrations, and reporting.

Product Security Programs: Ever-Evolving

Regardless of where your company finds itself in its Product Security journey, your customers and other stakeholders expect you to implement the programs, practices, and procedures that will protect your products from software threats and vulnerabilities.

As you progress from Crawl to Walk to Run, your pain points will change, and managing the many devices in your connected product portfolio will never be an easy feat. With the right knowledge, experience, and tools, you can achieve a world-class product security program that protects the connected ecosystem created by your products.

In a future post, I’ll talk about additional pain points facing Device Manufacturers, and continue to discuss steps to mature your Product Security organization to help you ship secure products and keep them secure.

About the Author

Nicholas Vidovich is Principal Product Manager with Finite State, the company building the Product Security Platform with market-leading Product Security and Risk Management. He works directly with Product Security teams at global device manufacturing companies and Asset Owners at critical infrastructure utilities, and is committed to Finite State’s mission to protect our connected world.